The NixOS/NixOps configuration for server.jelle.space that I use to route the mac.jelle.space address to my MacBook over a WireGuard tunnel.
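let
  # UDP port WireGuard listens on; the same value is opened in the firewall below.
  wireguardPort = 51820;

  # Peers whose public addresses are routed through this host. One entry per
  # WireGuard peer: the address(es) the peer owns and its WireGuard public key.
  # The addresses become routes (allowedIPsAsRoutes) and are answered for on
  # ens3 via proxy ARP, so upstream traffic for them lands here and is tunnelled.
  tunnels = [ {
    ipv4Addr = { addr = "195.201.249.203"; suffix = 32; };
    ipv6Addr = { addr = "2a01:4f8:c2c:2b57::2"; suffix = 128; };
    wgPublicKey = "3WWr1zr3ry6KeAwr3Cw3mQsnBeLLUYs1DGa7iEwyAWA=";
  } ];

  # Render an { addr, suffix } pair in CIDR notation, e.g. "10.0.0.1/32".
  mkAddrWithSuffix = (x: "${x.addr}/${toString x.suffix}");

  # NixOps machine definition for server.jelle.space.
  server = { config, pkgs, ... }: {
    imports =
      [ # Include the results of the hardware scan.
        ./hardware-configuration.nix
      ];

    # Use the GRUB 2 boot loader.
    boot.loader.grub.enable = true;
    boot.loader.grub.version = 2;
    # Define on which hard drive you want to install Grub.
    boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only

    networking.hostName = "server.jelle.space"; # Define your hostname.

    # Set your time zone.
    time.timeZone = "Europe/Amsterdam";

    # List packages installed in system profile. To search, run:
    # $ nix search wget
    environment.systemPackages = with pkgs; [
      vim wireguard wireguard-tools
    ];
    boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];

    # Enable the OpenSSH daemon, key-based authentication only.
    services.openssh.enable = true;
    services.openssh.passwordAuthentication = false;
    # PasswordAuthentication=no on its own is not enough: in this NixOS release
    # challengeResponseAuthentication defaults to true, and sshd then offers
    # keyboard-interactive authentication through PAM, which can still accept
    # the password configured for jelle below. Disable it so only the
    # authorized keys listed in this file work.
    services.openssh.challengeResponseAuthentication = false;
    # Root is reachable only with the NixOps key at the bottom of this file.
    # This matches the module default; it is pinned here so that a change of
    # policy shows up as a visible diff.
    services.openssh.permitRootLogin = "prohibit-password";

    # Hetzner needs a static configuration for ipv6
    networking.interfaces.ens3.ipv6.addresses = [ {
      address = "2a01:4f8:c2c:2b57::1";
      prefixLength = 64;
    } ];
    networking.defaultGateway6 = {
      address = "fe80::1";
      interface = "ens3";
    };

    # Answer ARP on ens3 for addresses this host has a route to, so the upstream
    # router delivers traffic for the `tunnels` addresses here. The routes come
    # from allowedIPsAsRoutes below.
    networking.interfaces.ens3.proxyARP = true;

    networking.wireguard.interfaces.wg0 = {
      ips = [ "10.4.0.1/24" "fd00:4242:0:1::1/64" ];
      listenPort = wireguardPort;
      # Private key is a NixOps deployment key, so it never enters the Nix store.
      privateKeyFile = config.deployment.keys.privkey-wireguard.path;
      # Install each peer's allowedIPs as kernel routes via wg0.
      allowedIPsAsRoutes = true;
      peers =
        # Tunneled peers, defined at the top of the file. allowedIPs doubles as
        # WireGuard's source filter: packets from a peer with another source
        # address are dropped by the interface itself.
        (map (p: {
          publicKey = p.wgPublicKey;
          allowedIPs = (map mkAddrWithSuffix [ p.ipv4Addr p.ipv6Addr ]);
        }) tunnels)
        ++
        [
          # Site-to-site peer with a fixed endpoint; its whole 10.3.0.0/16 is
          # reachable through wg0.
          {
            publicKey = "j1N3Ca5R6deUM1IBpfrdkdGVoPVERvIIhW2aN7NdNH4=";
            allowedIPs = [ "10.3.0.0/16" ];
            endpoint = "213.124.166.73:51820";
          }
        ];
    };

    # IP forwarding is needed for the tunnels.
    # NOTE(review): as far as I can tell the NixOS firewall only filters INPUT,
    # so nothing in this file restricts what the peers may forward through this
    # host (FORWARD is left open). If the peers should not get full transit, add
    # FORWARD rules via networking.firewall.extraCommands -- confirm.
    boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = 1; "net.ipv6.conf.all.forwarding" = 1; };

    networking.firewall.enable = true;
    # True by default, but included for explicitness.
    networking.firewall.allowPing = true;
    networking.firewall.allowedUDPPorts = [ wireguardPort ];
    # The tunnelled addresses are reached asymmetrically (in on ens3, out via
    # wg0 and vice versa). A strict reverse-path check drops packets whose
    # source is not routed back out of the ingress interface, so only require
    # that the source be reachable via some interface.
    networking.firewall.checkReversePath = "loose";

    # Immutable users: the user database is exactly what this file declares.
    users.mutableUsers = false;
    users.users.jelle = {
      isNormalUser = true;
      description = "Jelle Besseling";
      extraGroups = [ "wheel" ];
      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICunYiTe1MOJsGC5OBn69bewMBS5bCCE1WayvM4DZLwE jelle@Jelles-Macbook-Pro.local" ];
      # Hashed password for sudo/console use, delivered as a NixOps deployment key.
      passwordFile = config.deployment.keys.password-jelle.path;
    };
    # Key NixOps deploys with; root SSH access is limited to this key (see
    # permitRootLogin above).
    users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1hSb1eyjoKjqIqfqy9rwf1ubSjnrXGZjBwPbhlN0u1 NixOps client key for personal" ];

    # This value determines the NixOS release with which your system is to be
    # compatible, in order to avoid breaking some software such as database
    # servers. You should change this only after NixOS release notes say you
    # should.
    system.stateVersion = "18.09"; # Did you read the comment?
    # Periodically rebuild from the channel; config changes still go out via NixOps.
    system.autoUpgrade.enable = true;
  };
in {
  # NixOps network: a single machine named "personal".
  personal = server;
}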